📄 rfc1196.txt
字号:
RFC 1196 Finger December 1990
in the user information output, or at worst be ignored.
2.5.5. Vending machines
Vending machines SHOULD respond to a {C} request with a list of all
items currently available for purchase and possible consumption.
Vending machines SHOULD respond to a {U}{C} request with a detailed
count or list of the particular product or product slot. Vending
machines should NEVER NEVER EVER eat requests. Or money.
3. Security
3.1. Implementation security
Sound implementation of Finger is of the utmost importance.
Implementations should be tested against various forms of attack. In
particular, an RUIP SHOULD protect itself against malformed inputs.
Vendors providing Finger with the operating system or network
software should subject their implementations to penetration testing.
Finger is one of the avenues for direct penetration, as the Morris
worm pointed out quite vividly. Like Telnet, FTP and SMTP, Finger is
one of the protocols at the security perimeter of a host.
Accordingly, the soundness of the implementation is paramount. The
implementation should receive just as much security scrutiny during
design, implementation, and testing as Telnet, FTP, or SMTP.
3.2. RUIP security
Warning!! Finger discloses information about users; moreover, such
information may be considered sensitive. Security administrators
should make explicit decisions about whether to run Finger and what
information should be provided in responses. One existing
implementation provides the time the user last logged in, the time he
last read mail, whether unread mail was waiting for him, and who the
most recent unread mail was from! This makes it possible to track
conversations in progress and see where someone's attention was
focused. Sites that are information-security conscious should not
run Finger without an explicit understanding of how much information
it is giving away.
3.2.1. {Q2} refusal
For individual site security concerns, the system administrator
SHOULD be given an option to individually turn on or off RUIP
processing of {Q2}. If RUIP processing of {Q2} is turned off, the
RUIP MUST return a service refusal message of some sort. "Finger
forwarding service denied" is adequate. The purpose of this is to
Zimmerman [Page 7]
RFC 1196 Finger December 1990
allow individual hosts to choose to not forward Finger requests, but
if they do choose to, to do so consistently.
Overall, there are few cases which would warrant processing of {Q2}
at all, and they are far outweighed by the number of cases for
refusing to process {Q2}. In particular, be aware that if a machine
is part of security perimeter (that is, it is a gateway from the
outside world to some set of interior machines), then turning {Q2} on
provides a path through that security perimeter. Therefore, it is
RECOMMENDED that the default of the {Q2} processing option be to
refuse processing. It certainly should not be enabled in gateway
machines without careful consideration of the security implications.
3.2.2. {C} refusal
For individual site security concerns, the system administrator
SHOULD be given an option to individually turn on or off RUIP
acceptance of {C}. If RUIP processing of {C} is turned off, the RUIP
MUST return a service refusal message of some sort. "Finger online
user list denied" is adequate. The purpose of this is to allow
individual hosts to choose to not list the users currently online.
3.2.3. Atomic discharge
All implementations of Finger SHOULD allow individual system
administrators to tailor what atoms of information are returned to a
query. For example:
- Administrator A should be allowed to specifically choose to
return office location, office phone number, home phone
number, and logged in/logout time.
- Administrator B should be allowed to specifically choose to
return only office location, and office phone number.
- Administrator C should be allowed to specifically choose to
return the minimum amount of required information, which is
the person's full name.
3.2.4. User information files
Allowing an RUIP to return information out of a user-modifiable file
should be seen as equivalent to allowing any information about your
system to be freely distributed. That is, it is potentially the same
as turning on all specifiable options. This information security
breach can be done in a number of ways, some cleverly, others
straightforwardly. This should disturb the sleep of system
administrators who wish to control the returned information.
Zimmerman [Page 8]
RFC 1196 Finger December 1990
3.2.5. Execution of user programs
Allowing an RUIP to run a user program in response to a Finger query
is potentially dangerous. BE CAREFUL!! -- the RUIP MUST NOT allow
system security to be compromised by that program. Implementing this
feature may be more trouble than it is worth, since there are always
bugs in operating systems, which could be exploited via this type of
mechanism.
3.2.6. {U} ambiguity
Be aware that a malicious user's clever and/or persistent use of this
feature can result in a list of most of the usernames on a system.
Refusal of {U} ambiguity should be considered in the same vein as
refusal of {C} requests (see section 3.2.2).
3.2.7. Audit trails
Implementations SHOULD allow system administrators to log Finger
queries.
3.3. Client security
It is expected that there will normally be some client program that
the user runs to query the initial RUIP. By default, this program
SHOULD filter any unprintable data, leaving only printable 7-bit
characters (ASCII 32 through ASCII 126), tabs (ASCII 9), and CRLFs.
This is to protect against people playing with terminal escape codes,
changing other peoples' X window names, or committing other dastardly
or confusing deeds. Two separate user options SHOULD be considered
to modify this behavior, so that users may choose to view
international or control characters:
- one to allow all characters less than ASCII 32
- another to allow all characters greater than ASCII 126
For environments that live and breathe international data, the system
administrator SHOULD be given a mechanism to enable the latter option
by default for all users on a particular system. This can be done
via a global environment variable or similar mechanism.
Zimmerman [Page 9]
RFC 1196 Finger December 1990
4. Examples
4.1. Example with a null command line ({C})
Site: elbereth.rutgers.edu
Command line: <CRLF>
Login Name TTY Idle When Office
rinehart Mark J. Rinehart p0 1:11 Mon 12:15 019 Hill x3166
greenfie Stephen J. Greenfiel p1 Mon 15:46 542 Hill x3074
rapatel Rocky - Rakesh Patel p3 4d Thu 00:58 028 Hill x2287
pleasant Mel Pleasant p4 3d Thu 21:32 019 Hill 908-932-
dphillip Dave Phillips p5 021: Sun 18:24 265 Hill x3792
dmk David Katinsky p6 2d Thu 14:11 028 Hill x2492
cherniss Cary Cherniss p7 5 Mon 15:42 127 Psychol x2008
harnaga Doug Harnaga p8 2:01 Mon 10:15 055 Hill x2351
brisco Thomas P. Brisco pe 2:09 Mon 13:37 h055 x2351
laidlaw Angus Laidlaw q0 1:55 Mon 11:26 E313C 648-5592
cje Chris Jarocha-Ernst q1 8 Mon 13:43 259 Hill x2413
4.2. Example with name specified ({U}{C})
Site: dimacs.rutgers.edu
Command line: pirmann<CRLF>
Login name: pirmann In real life: David Pirmann
Office: 016 Hill, x2443 Home phone: 989-8482
Directory: /dimacs/u1/pirmann Shell: /bin/tcsh
Last login Sat Jun 23 10:47 on ttyp0 from romulus.rutgers.
No unread mail
Project:
Plan:
Work Schedule, Summer 1990
Rutgers LCSR Operations, 908-932-2443
Monday 5pm - 12am
Tuesday 5pm - 12am
Wednesday 9am - 5pm
Thursday 9am - 5pm
Saturday 9am - 5pm
larf larf hoo hoo
Zimmerman [Page 10]
RFC 1196 Finger December 1990
4.3. Example with ambiguous name specified ({U}{C})
Site: elbereth.rutgers.edu
Command line: ron<CRLF>
Login name: spinner In real life: Ron Spinner
Office: Ops Cubby, x2443 Home phone: 463-7358
Directory: /u1/spinner Shell: /bin/tcsh
Last login Mon May 7 16:38 on ttyq7
Plan:
ught i
ca n
m a
' ... t
I . . i
! m
! ! e
p !pool
l
e
H
Login name: surak In real life: Ron Surak
Office: 000 OMB Dou, x9256
Directory: /u2/surak Shell: /bin/tcsh
Last login Fri Jul 27 09:55 on ttyq3
No Plan.
Login name: etter In real life: Ron Etter
Directory: /u2/etter Shell: /bin/tcsh
Never logged in.
No Plan.
4.4. Example of query type {Q2} ({U}{H}{H}{C})
Site: dimacs.rutgers.edu
Command line: hedrick@math.rutgers.edu@pilot.njin.net<CRLF>
[pilot.njin.net]
[math.rutgers.edu]
Login name: hedrick In real life: Charles Hedrick
Office: 484 Hill, x3088
Directory: /math/u2/hedrick Shell: /bin/tcsh
Last login Sun Jun 24 00:08 on ttyp1 from monster-gw.rutge
No unread mail
No Plan.
Zimmerman [Page 11]
RFC 1196 Finger December 1990
5. Acknowledgments
Thanks to everyone in the Internet Engineering Task Force for their
comments. Special thanks to Steve Crocker for his security
recommendations and prose.
6. Security Considerations
Security issues are discussed in Section 3.
7. Author's Address
David Paul Zimmerman
Center for Discrete Mathematics and
Theoretical Computer Science
Rutgers University
P.O. Box 1179
Piscataway, NJ 08855-1179
Phone: (908)932-4592
EMail: dpz@dimacs.rutgers.edu
Zimmerman [Page 12]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -